Does my OS Affect my Vulnerability to Outside Attacks?

I am a big fan of Windows XP, hence I am still running it. Since Microsoft will no longer be supporting it as of this year, I am concerned about running a more vulnerable system. Can security threats, such as hackers, detect what OS I am running? If so, are there extra measures that can help me secure my system if I choose not to upgrade my OS in the immediate future?

C> Can security threats, such as hackers, detect what OS I am running?

Yes - many attacks now are tailored to the system that they detect.

C> If so, are there extra measures that can help me secure my system
C> if I choose not to upgrade my OS in the immediate future?

Not with WinXP unfortunately :-( Won't be a problem in the first month
or two but the danger is that updates to Vista/Win7/Win8 will flag up
a vulnerability in WinXP that is a major back door into the system. If
such a way in is found then you can be sure the malware writers will
exploit it for all it's worth. With a potential 30% of desktops at
their mercy ( the current estimate of users still running WinXP ) it
would be too tempting a target to resist :-(

Only time will tell if there will be any major attacks and it might be
that nothing much will happen, but it's a huge risk to run IMHO so I'd
be looking to upgrade. Problem is that most WinXP systems are going to
struggle with Win7 or Win8 but if memory can be boosted to 2Gb or more
then that will help, however the cost of older memory is already steep
and if there's a drive to buy it then the price will climb steeply.
DDR and DDR2 memory isn't being manufactured now and a lot of early
systems were sent out with 256Mb or 512Mb sticks which are not a lot
of use when looking to boost to 2Gb or more.

Overall I'd seriously consider upgrading ASAP even if it means jumping
the Windows ship and switching to Linux - a lot of older WinXP systems
will handle Linux but you might need to experiment with different ones
to find which works best. FWIW I've set up a few older WinXP systems
with Xubuntu 12.04 and they work well on it.

Assuming that the user can afford to do this, and doesn't mind
throwing away a perfectly good system :-)

BTW - I use a Virtual Box on Kubuntu to run WinXP for a few programs
that still need it but it doesn't need internet access for that so
when 8th April rolls around I'll disable internet on WinXP and carry
on as if nothing has changed.

The answer is absolutely, yes. The only real defense is to stay off the
internet.

Having said that, if you are on the internet, make sure you have a good
firewall and AV software. If you don't have one already, get a router.
Also, do not use any account that is an administrator. Only use one
when required and only for as long as needed. Be sure to have very
secure passwords and don't share them on multiple accounts. Practice the
rules for safe computing.

I would monitor any financial accounts (bank, credit cards, etc.) on a
regular basis.

HA> Also, do not use any account that is an administrator. Only use
HA> one when required and only for as long as needed.

Might help but unfortunately it's just so frustrating using a limited
account on WinXP the user will be tearing their hair out soon. Can't
get away from the unpalatable truth that using WinXP on-line after 8th
April this year is going to be an increasing security risk. Exactly
how great a risk is an unknown as yet but we are going to be finding
out soon enough methinks !! As I've said before, all those vulnerable
WinXP systems are far too tempting a target for malware writers to
ignore.

I've been having excellent results using Windows XP inside a virtual
machine in Linux as users transition. There's a distribution of Linux
specifically targeted at the issue called robolinux which I recommend
(no affiliation). I find most users don't even bother starting XP after
a very short while, those that do need it for some specific Windows-only
program soon find an alternative from the wide range of free open-source
alternatives.

It can be a little aggravating. Sadly Windows security is still being worked out. Win7 isn't too horrible, but there are so many applications that either need special attention or break outright with non-administrator accounts that at times granting local admin rights is the only solution. I cannot recommend simply granting it by default and giving up though. Test, be creative and you might be able to satisfy security and user convenience. Even so, it really is time to retire those XP systems.

Fortunately this problem doesn't exist for any of the *nix based systems. Security, including non admin users was built in at the beginning and application developers didn't have the option of assuming unlimited rights. With the debacle known as Windows 8, now is a good time to consider changing platforms.

Yes, hackers can detect what OS you are using and this can prove really fatal to your entire system functionality. So, do be careful.

Recently, Microsoft has issued a media statement that its Security Essentials will provide security updates till 2015. However, Security Essentials will install only on genuine XP operating system PCs. So, if you are using a genuine OS, then you are safe by 50% to 70%. Otherwise, I am afraid to say that you are not.

tc> I've been having excellent results using Windows XP inside a virtual
tc> machine in Linux as users transition.

Ditto - and WinXP installs/runs a whole lot better too :-) Have a few
customers with Ubuntu and WinXP through Virtual Box and yes they tend
not to use it eventually. Personally the few programs I keep WinXP for
are used once in a blue moon but it'll be worth keeping ( and disabling
internet access ) after 8th April.

Thank you all so much! The insight each of you have provided has been extremely interesting and helpful. I will certainly look into the virtual box option for running XP, but it sounds like I will need to "take my business" elsewhere eventually. I think I'll put another question out there to keep exploring and get first hand feedback, as security is an extremely important factor to me; your responses have definitely started to point me in the right direction. Thanks again!

Not quite sure I understand the logic of many of these posters. What difference does running XP in a VM make? You are still running a vulnerable OS, and anything else in that VM (your data, banking credentials etc.) is also at risk. This ONLY makes sense if you do the majority of tasks in the host OS, and only use the guest XP VM for the apps that can't be made to run on the newer host OS. For that, your best option is to use the "XP Mode" feature of Windows 7 (http://windows.microsoft.com/en-us/windows7/install-and-use-windows-xp-mode-in-windows-7).

The poster said they like XP, so I'm not sure how blindly jumping to a Linux distro is the answer (and don't believe the tired rhetoric that OSS is inherently safer than Windows). The closest thing to XP is Windows 7. It is way more secure than XP, and fully supported with security fixes. It also gets around the issue of running as admin/standard user via the restricted admin token and elevation when required (UAC). Windows 8 is more secure again, but has a very different UI that you won't like if you are an XP fan.

Back to the question - there is almost nothing you can do to make XP secure. Firewalls and AV won't save you when you browse to a malicious web site. Installing EMET (http://www.microsoft.com/en-us/download/details.aspx?id=41138) can help, but is not a substitute for running a fully patched OS. XP is tired, let it R.I.P. Update to a modern version of Windows.

Some good suggestions but you're forgetting one thing. It's been suggested that many Black Hats and other nefarious groups may be sitting on already discovered (but unannounced) zero-day vulnerabilities, specific to Windows XP. Once April rolls around no one running XP will be safe from these unknown exploits. Anti-Virus and Microsoft Security Essential updates will be useless. Don't forget these tools are reactive technologies meaning they're always behind the curve. My advice is to get off this ancient operating system and let it die. Microsoft's biggest mistake was extending support. It simply postponed the inevitable. It sounds harsh, but it's reality. Windows XP is like Swiss Cheese. You can paint it, patch it, dress it up. But in the end if it walks like a duck, if it quacks like a duck it's a dead duck!

Totally agree Tom - not sure about the 0 days though. By definition, there is no patch against a 0 day - so it makes no difference whether the OS is in or out of security update support. 0 days are valuable commodities, and tend to be reserved for highly targeted attacks. Why waste them when "click on this link to see the dancing pigs" works equally well?
That said, every time a bug is found in a supported version of Windows, XP will be tested for the same flaw, and XP will become a very soft target indeed...

I agree that people should be getting off of XP, but if someone is going to
choose to continue running it, what the VM concept can add is:

- protection from incoming traffic and direct attacks if the VM uses NAT
mode rather than bridge
- the possibility of running an immutable image (one that resets back to a
pristine state after every boot). That doesn't prevent exposure but it does
make cleanup easy, and any foothold an attacker gains would be temporary.
- the ability to slowly migrate any applications to your new platform
- the ability to isolate the VM from some attacks by using whatever
features are present in the host OS
- if the VM is only used for a specific purpose and you know it's never
going to have to see any new hardware or support any new applications then
you can strip the guest OS down to a bare minimum of drivers and DLLs
to minimize the attack surface.

I wouldn't recommend staying with XP, but if you were going to do it
anyway, I'd recommend a VM over keeping it on bare metal. Both for the
ability to run on newer faster hardware, and for the little bit of extra
security that can be had (if you put the effort in).
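
An added example, not part of the thread: one way to check from the host that an XP guest really is on NAT or fully offline rather than bridged, as the posts above recommend. It assumes VirtualBox and parses the `nicN` and `cableconnectedN` keys printed by `VBoxManage showvminfo <vm> --machinereadable`; the VM name, adapter name and sample values are constructed for illustration.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE_VMINFO = '''\
name="WinXP-legacy"
nic1="bridged"
bridgeadapter1="eth0"
cableconnected1="on"
nic2="nat"
cableconnected2="off"
nic3="nat"
cableconnected3="on"
nic4="none"
'''

def parse_vminfo(text):
    """Turn key="value" lines into a dict, skipping anything malformed."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^"?([^"=]+)"?="?(.*?)"?$', line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info

def audit_nics(info):
    """Classify every adapter as offline, nat, bridged or other."""
    findings = {}
    for key, mode in info.items():
        m = re.fullmatch(r'nic(\d+)', key)   # skips nictype1, bridgeadapter1, ...
        if not m:
            continue
        cable = info.get('cableconnected' + m.group(1), 'on')
        if mode == 'none' or cable == 'off':
            findings[key] = 'offline'        # no adapter, or virtual cable unplugged
        elif mode in ('nat', 'bridged'):
            findings[key] = mode
        else:
            findings[key] = 'other'          # hostonly, intnet, ...: check by hand
    return findings

def overall(findings):
    """Worst case across all adapters of the guest."""
    states = set(findings.values())
    if 'bridged' in states:
        return 'reachable from the LAN'
    if 'other' in states:
        return 'needs manual review'
    return 'behind NAT' if 'nat' in states else 'offline'

if __name__ == '__main__':
    nics = audit_nics(parse_vminfo(SAMPLE_VMINFO))
    print(nics, '->', overall(nics))
```

A guest with several adapters is only as isolated as its most exposed one, which is why the sample VM is reported as reachable from the LAN despite having a NAT adapter.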

For app compat it may make sense, although I would seriously doubt that the extra effort and resources could be justified by an individual user (and for an enterprise, app or desktop virtualization of the legacy apps would be more cost effective).
I think the question was "I like XP - can I keep using it safely?", and the answer is no... (with or without virtualization)

Like a lot of other folks have suggested, I tend to rotate between OS's depending on routine, so I often run Ubuntu with a VMware installation to launch Windows when I need to use more mainstream programs or want to do some modest gaming, or an OSX instance for when I do more music or graphic design. The nice thing is that generally there aren't too many vulnerabilities that affect a Linux box, possibly because it's a cleaner OS in terms of back processes that can be overridden or corrupted by malware. The advantage of having the virtual machine is that even if something goes horribly wrong in terms of malware or virus attacks, you can simply wipe it, as it's a self-contained system.

This is why I feel we are going to see a huge spike in Virtual Desktop services from cloud providers for folks who want to keep their XP instances up and running without wanting the risks associated with end of life support.

If the only risk was to the availability and usability of the XP VM itself, your point is completely valid. If the VM gets compromised, just start again or rollback to the last known good snapshot. Bear in mind that the vulnerability that allowed you to get popped last time won't be getting fixed, so expect to have to do this periodically (and ask yourself if it is really worth it).

The bigger risk is exposing your data, credentials, identity, banking details etc to whoever is now controlling your machine. Virtualization buys you absolutely nothing in reducing these risks if you virtualize XP. No cloud provider in their right mind would offer the service of hosting an obsolete and unsupported product - given that they will take the heat when things go wrong.

XP users need to bite the bullet and move to Win 7/8, or another platform if they really don't like Windows. I don't buy the argument that "it won't run on my 386 with 4 MB of RAM whereas Linux will..." Windows 7 is nearly 5 years old, and will easily run on hardware 2-3 years older than that. If you still have hardware of that vintage, don't expect too many years service out of it. Time to move on folks...

If you are still running Windows XP, you have set yourself up for failure.
XP was a great OS, 14 years ago. Traceroute, Nmap, and a dozen other
network mapping programs will tell me which operating system you are
running, even behind a firewall. Each OS has its own way of answering ACK
and SYN requests. We call it "OS fingerprinting" because we can send a
connection request to your IP address and every OS will respond slightly
differently, allowing us to determine which OS you are running.

As soon as I know which OS you are running (and which update or service
pack is applied), I can look up vulnerability databases to see which
exploits (payloads) you are exposed to. XP has lots of vulnerabilities and
we've had a long time to poke at it to locate almost all of them. Microsoft
is aware of some serious security flaws with XP but it isn't worth their
time to patch them since they are several generations of OSs past XP.

If you go to http://cve.mitre.org/ you will see one of several databases
for Common Vulnerabilities and Exposures. This particular program is run by
the U.S. government and is freely available to anyone. You can hunt for all
kinds of bugs and security problems there. We also have hacking databases
out there that are run by other people. Grab a copy of Metasploit (Kali)
and let that framework discover your vulnerabilities for you. It is a free
package and has its own modules for locating and running exploits against
someone else.
